
Building Securable Infrastructures

BSides Detroit | 53:31 | 245 views | Published 2013-06
About this talk
BSides Detroit 13, June 7-8, 2013

Abstract: This session asks the question: "How do I design my environment to be securable?" Until computing systems are designed and built with security in mind, we will be trapped in a cycle of post-implementation Band-Aid style fixes. Without designing infrastructures from the ground up with security in mind, any real attempt to defend against directed attacks will be largely unsuccessful.

• How do we evaluate products in a systematic manner to eliminate vulnerabilities we invite into our environments?
• Where is money more wisely spent: on developing quality security policies and guidelines, or on buying, configuring, and maintaining security products?
• What are the critical questions that we should be asking our vendors when we are evaluating new products for our environments?

Speaker: Steve Aiello
Transcript [en]

okay all right so thank you to everyone who could not get tickets to Rafael's Cobalt strike class I appreciate you being here um my name is Steve Aiello and uh I will be talking about building securable infrastructures so before I start I kind of like to get to know my audience a little bit so I want to ask a couple questions how many people here work in the security space proper like that's how you get paid like that's what your paycheck is from wow a lot of you okay it's more than I expected so how many are CIS admins that are also responsible for security in their environment oh man this is like totally not

applicable it's like 90 but hopefully you will have something to talk about for the people that you work with and actually I hope that you will uh really take something away from this because it's very very important um how many people when they decided to get into it said I'm going to go to college and I'm going to take classes or I'm going to do cough cough mcse and get a useless piece of paper um you know how many of you decided this is what I'm going to do and I'm going to school for this and that's how you started okay that's about what I expected that's about what I expected and how many said

I really like computers and you started tinkering around and you got some books and you eventually found work because you were the computer guy or girl how many did that okay so pretty pretty significant number okay I'm kind of surprised um so a little bit about me I've been doing this for a long time um this is my three most recent I've been doing it work seriously as an admin for almost 17 years I started off right right basically when I was out of high school but um you know my my career took a real big uh turn and in my three last positions uh one was this company called Focus one data and uh essentially we had financial

and Health Care data so you know anything PCI Banking and Healthcare this company had it it was really small company uh it was out in Dearborn if you ever need to do debt collection letter printing for medical procedures that the people had to do this is the company that did it and so um we had a you know and hippo was really coming in onto the scene in this time period right it wasn't HIPAA high tech it was like old school HIPAA where you just like they hoped you were doing something um but the company that I worked for took it very seriously uh so they sent me to a lot of training right away

um and I learned a lot about the HIPAA space and the it was a really wonderful place to be able to learn and grow and I was the windows guy I was the Cisco guy I managed all of her firewall probably like a lot of you you're wearing many many hats and that's what I did there and then I worked uh at ADP does anybody here work for ADP God [ __ ] like that place is like China or whoever you know pick your nation state of choice so ADP does 74 of the world's payroll in some way shape or form according to the Nate they do the Navy's payroll thereby the Marines the Army the

Air Force how how long before our armed service members are going to stop taking bullets if their wives aren't getting paychecks it's it's a it's a very very interesting space there um but since I was the only one who really knew anything about compliance when I moved to ADP they're like well you know about compliance and we have this stuff like it was sarbanes-oxley back then now it's uh see you know all the different SAS stuff um SAS 70 and ISO 27 000 I got not stuck I actually ended up really liking it I got um to work with our Auditors KPMG and Delight in touch and so I worked with our security team there and we

essentially you know there was no real good Sim product back in 2004 there was no real good log aggregation uh analytics log analytics packages back then so I wrote one and that's what I did for my first four years at ADP we had it started off at about 15 000 servers and scaled out to about 60 000 servers and every week we dumped every single log from every single Linux Unix and Windows server in our environment I imported into a massive SQL database I worked with our DBA team to write uh time-based queries to look for certain events of interest and at the end of the week it spit us out a report of actionable items and then we would go

and investigate those items and um I got I was really proud of it um DNT said it was a great system it was totally custom and then we had a reorg and they were like nope uh corporate's going to do this and you're going to be a regular system admin again and I was like oh you guys suck um because it wasn't really very fun um I supported a lot of java apps right if any of your HR people use ADP I know a hundred percent assuredly you have Java running on the computers with your most sensitive data on it I guarantee it because I supported all their products now I work at a company called online

tech and we focus mostly in the PCI and HIPAA space I've been there for about 18 months very cool company and we we're kind of uh we're not really like a rack space we're kind of like an operating system as a service company and we'll do like AV we'll do log review for you so if you have projects and you're like listen we need to stand up a massive VMware environment we need an environment uh don't quote me on this because I'll get in trouble um but we need an environment and we need to be able to turn up 500 machines it needs to be private Hardware we need to you know be HIPAA compliant PCI

Compliant whatever it is sand infrastructure whether it's ecologic EMC blade whatever we're a Dell shop and we need to do it in like 30 days and you don't want to spend a million dollars in capex will like amortize you know we'll spread that out for you it's really cool company and we've got about 50 people um and it's like we just you know had symmetrics which is wicked awesome to play with which is also a security vulnerability I'm going to talk about it um so these are this I've always been in the data center space um minus Focus one um I've always been in really really big environments thousands and thousands of servers and you run into some really

hard um challenges in these spaces so does it work maybe not too far okay so this is um all the crap that really nobody cares about apparently Eve doesn't like any of the certs I don't know if she's here um yes I have my cissp I actually do think it's valuable I learned a lot if you have the technical knowledge already for what they're trying to teach you if you don't have the technical knowledge and you're a pen tester or an offensive person that sort is worthless I do have my sisa um if you do your cissp I don't even really recommend studying you can just go past it um I'd have my gsac I'm a huge VMware

guy I do not work for VMware but uh I do suckle at the teeth of VMware I think it's a great product um and I I started off my career as a network guy but all my network guys kind of tease me they're like oh it's expired you did it you did it when it was cat OS and I'm like yeah [ __ ] was hard right so and I have some other search that nobody really cares about um so all right when either I do a presentation and Ben are you still here oh man okay whenever I do a presentation I really like to start off with a quote and my great concern is not whether you

have failed but whether you are content with your failure Abraham Lincoln and if you know anything about the Civil War the north was not doing very well in the beginning of the Civil War it was looking very very Bleak until they got their act together and that's where I think the state of computer security is today it's very very bleak and um so this is and I when I saw this on Ben's slide I'm like oh dude you suck so in my opinion what do Febreze and I.T security have in common it's not that I.T security stings but we cover up a lot of stuff that stinks systems Engineers proper do not know how to engineer

they they don't if you walk into an environment large and you go up to the dude with engineer or woman with engineer in his title and you ask him or her how he got there essentially it was he just had enough time and he's lived or she's lived they've done enough projects and they've just got now the word engineer in their title because they hit a certain pay grade and they had to make and put them in a new position and I think that that's a big big problem and apparently there's some really smart people that agree with me so this will actually I love I am kind of an academic um so this came out May

24th and this was an article um I'm trying to remember where I read this I I have the link I can give it to you but there's an interview with Source fire and FireEye you guys probably know them voremetric is an encryption based company and brocade who is a sand fabric switching company right their infrastructure and I thought this was really interesting he said we've tried to make these devices more secure by putting AV on them by putting controls in the network that prevent breaches and the fact is the bad guys just figure out ways around them right of the 60 billion dollars that the industry spends on I.T security they detect one in 20

compromised devices right oh it's on the register there you go so 60 billion dollars a year we're spending on this stuff 60 billion dollars we are spending on computer security we have a rampant rampant security breaches and we're only able to detect five percent of when this happens this is like failure I mean you that's is that that's not even like a d-minus in school if you get a five percent in your class now to put this into perspective the NFL right um makes six billion dollars a year so we're spending 10 times what the NFL spends on this stuff and we we a we have a ton of breaches and B when we do get

breached we can only detect it five percent of the time this to me is a problem so I've actually been thinking about this talk for a really long time and I've wanted to do it um so when Wolfgang approached me about talking to b-sides or actually I think my market one of our marketing people um asked me if I want to present here I said yeah absolutely and I've started I've been thinking about this talk since 2011. and I'm a huge huge Bruce Schneider fan like uh he's just amazing but you rarely ever hear him talk about technical things other than crypto but one of the things that he did this is a tedx talk and again I'll give you

all these URLs because a phenomenal talk um he did it in 2010 but it was posted in 2011 and schneier was talking about the feeling of security and there security is a trade-off between feeling secure and you can feel like you're secure but not and you can be secure and not know it and I think that this is something that is a systemic issue with our industry we buy products we buy software appliances that make our Executives that make us feel secure we can quantify we spend seventy thousand dollars on an improval WAFF so WAFF there's a box there we can touch it we can point to it that makes us more secure spend 70 grand on a on a firewall IDs

IPS solution right you can see it we can touch it it's downloading the signatures from somewhere and it's making us feel more secure but 60 billion dollars that we're spending and a very very low success rate I would say we're not really more secure maybe we just feel more secure then there is another one this is really what got me thinking in in the line that I've been thinking last year I went to Defcon 20. first time ever there um really really good and there was one gentleman's presentation that really stood out to me and he was a coder for the NSA and he was talking about is is a phenomenal talk again I would absolutely

recommend that you watch it and I and let me let me kind of say this I hope this talk makes you think differently about designing infrastructures this is what my objective is so hopefully you go out after you you know after this talk and you watch all these things and think differently about it infrastructure and what he was talking about is this was the first A1 security Kernel it was a whole operating system so how many seats I mean everybody close your eyes so you won't make fun of the cisps how many cissps are in here there's a couple who else knows what the A1 what an A1 rating is in the common criteria and why that's impressive for

an operating system so A1 evaluated product means that your product has to operate it has to begin in a secure state it has to operate and even fail in a secure state so it's like is this open source it's called ksos It's For What It's the operating system that runs the nuclear missile silos the nuclear subs right and mathematically this wicked smart gentleman amazing he he was working at Sony right when they were like getting owned over and over and over it was pretty funny um but he said it's this is open source it was a complete operating system that fit into like 32k of memory and they went through the mathematical proofs to guarantee that the operating system

was never insecure very different than how we design and think about and conceptualize our networks we accept insecurity and we tried these bolt-on products after the fact to compensate for our accepted insecurity and that's a problem right that's a problem so I started thinking about this and I went to secure world in 2012 I was on a panel there and I started asking all these software vendors because I just got back from Defcon I'm like man this guy's Wicked smart like he wrote a legitimately secure operating system like that's really impressive to me so I started asking the vendors there I said uh what's the least privilege on my systems that I can run your software

with it like and these are security vendors they're like Well yeah if you run the management interface you really need to run it as administrator so let me see a problem with that right what's your policy on application availability due to OS patching how many of you here have worked in a company and you've had a really critical application and your software vendor says oh no no you cannot patch your OS we do not support that you have to wait until we tell you you can patch your OS that's a problem that's a problem do your products require Adobe or Java plugins for your management interface nessus what the heck why are you written in Flash

right and I'm talking to all these security vendors and I'm asking what is your management interface written in for your firewall every single one of them except tripwire said Java or adobe flash why would I buy your product ridiculous and then finally what two-factor Solutions does your product integrate with two factors I mean it's you have to have it nowadays it's ridiculous so I started thinking about all this stuff and I was like man we are in a really bad spot really really bad spot is infrastructure Engineers I'm an infrastructure guy but I care deeply about security and I went over for an interview uh we're pretty pretty well known um security team in the area

and um it was a security job proper and they said you know we would really like to hire you but how would you feel not building you know a lot of guys like you you like to build you like to create things and I said well I don't know how is your relationship with your infrastructure team and they like looked at me with like dough you know deer eyes like they had no idea what I was talking about if you don't have the concept of building insecurity from the start your Security Programs will fail right but there are people you know generally the government because they have very high stakes that think about these things differently and we as a

community as infrastructure as Engineers we need to start thinking about things differently and I think that we've seen this because of basically three problems one we have a horrible education track for infrastructure people it's it's horrible and we're going to do a little bit of comparison we don't understand or care to understand business needs and this is big this is very very big and because of this in most commercial environments Securities and afterthought because we're not we don't have the knowledge up front we're not trained to think of how to protect the business we're very reactionary and we need to stop this trend we need to stop this trend so I want to take a look at the

definition of a software engineer because there's a lot of traction now about developing better software right there's a lot of SQL code injection command injection this is other than the the phishing attacks and the human element that Ben talked about this is where you're getting a lot of the vulnerabilities Windows is not as bad as it used to be right so software engineering is the application of systematic disciplined quantifiable of quantifiable approach to design development operation and maintenance of software and the study of these approaches right it's the application of engineering principles into software development let's look at it's pretty reasonable let's look at a civil or structural engineer let's look at what what they do

college for the structural engineering student consists of math statistics Dynamics conceptual structural design materials engineering engineering Graphics computer-aid design and structural analysis so very different than what infrastructure people do design of structures with each of the common you're so you're evaluating the structures with each of the commonly used construction materials are explored so steel concrete Composites they need they can't just study the design what their building needs to look like they needed to study the materials that make up their design Frank Lloyd Wright brilliant broken brilliant architect horrible structural engineer falling water would have fallen over long long ago if you're into history the civil engineers add actually had to add steel reinforcement beams into falling water

because the design would just not stand up we've got a lot of Frank Lloyd rights out there not a lot of good Structural Engineers among and this is very important I'm actually really glad you've touched on this among the core classes at any University students find that they are required to study English right where this may not seem important to the engineering student it in fact is very important a lot of the structural engineers product uh is drawings and reports the ability to write clearly and concisely as an important skill to have in the engineers tool set I have met highly paid Engineers who cannot construct a sentence at the level of a fifth grader

and this is why we don't get respect from the business units in our organizations this is why we don't get buy-ins from our CEOs because we can't communicate with them and this is a problem so I took my first security proper class uh in 2002 and these were the two books I got and I was like who the [ __ ] is this Bruce Schneider guy so what book did I read and what book did I never read I read this book and I never opened this book but these guys they're still around right this guy hopefully everybody in this room knows who he is very different we're not thinking conceptually in how to build our networks from the ground up

stronger and because we have these these ideas right and these these mental models that exist uh in our perceptions of our work we have Cool Jobs and we have Lane jobs right everybody's like Yo dude I'm a pen tester I'll pop your box like this is basically how it is right they're not they made a movie called hackers they didn't make a movie about Pat the patch management engineer I mean I'm told this is totally serious or the guys that are like I do the IDS IPS I run the honey pots I do IR I mean like even a qsa is kind of cooler than an auditor right we have we build these perceptions about what the value of our jobs are

but the most important things before you ever get to any of this you better be doing these three things because if you're not if you're not logging and know how to turn on logs proper in Windows or in Linux well none of your IRT your IR guys aren't going to have anything to look at right if you're not patching then don't bother hiring a pen tester because if you have some old display you know if you've got Java code running you're why bother you know it's there if you're not doing backups you can't do a forensic analysis you can't recover the data that you lost because you know you weren't doing these other things but we make value judgments on this type

of work and generally we give it to the lowest dude on the totem pole we try to get out of that position as quickly as possible and we view it as lame that's a problem right that's a big problem so the result of all this is we have a lack of uniform design principles because our infrastructure Engineers are not taught design right we are not taught how to evaluate vendors we have zero to poor documentation if we do develop standards and kudos to you if you have actually gone past with most we have a hard time following our own standards and when we design environments I almost never hear anybody go okay well how are

we going to design this environment to be to maintain it how are we going to do backups in it that's generally an afterthought and this is systemic of 15 years working with lots of different companies um and you know we work with outside companies I see this all the time that's why you all have jobs all of you security proper people so how do we fix this right how do we find Solutions we need to change our strategy and we need to change our tactics and hopefully as Security Professionals you can go back to the admins that are working in your environment and you can start talking to them about changing strategy and changing tactics

first education it's poor it's very poor if you want to get buy-in from your management if you want to understand why your management is doing things pick up financial statements for dummies it's a book that I bought and I learned how to read financial statements and the the like crazy Wicked decisions that our CEOs would make and I totally didn't understand it once I looked at a profit and loss statement and a balance sheet and I understood the difference between capex and Opex you sitting here are so much more expensive than a seventy thousand dollar a year firewall and if someone sends you to fifteen thousand dollars worth of sans training right you can walk out the door and you

will probably get a big fat juicy pay raise at your next company and this is how Executives think and this is why we are in this I'm gonna buy an appliance I'm gonna buy some software mentality understand it leverage it I've talked to our HR person there is a term called Flight Risk are we going to invest in this person in our company if we perceive them as a Flight Risk it means they worry about your loyalty to the company and if they dump ten thousand dollars in training in you you could probably walk out the door and make twenty thousand dollars a year more somewhere else that's how businesses think know it understand it use it to your

advantage learn to write well my grammar is not great my commas and semicolons are appalling I'm working on it and learn how to write an executive summary we get really excited this is the place for me to come and talk about an hour you know for an hour about all these things that I really love and I'm really excited about our CEO will say you you have 10 words to explain to me what I need to do 10 words if we are in a like a critical situation we got hit with a DDOS three words we're under attack and he said I understand that do what you need to do this is important business people don't think like we

think and if we want to be successful if we want to get the respect if we want to make this an established well-regarded profession like a lawyer or a doctor or an accountant professions that have been around if we want to elevate the status of our job we need to understand this else we will be outsourced we will be laid off to the intern that comes out of college there's value and experience there's value in the learning process but many of us never get to this point and that's a problem so the point about the civil engineer that has to learn to evaluate materials how many of you have one of these products in your environment

show hands come on come on come on there you go I know all of you have for sure Adobe or Java in your environment what does that mean that means that that attack Vector that Ben was trying to guard it's exploitable and this is in essentially what we're doing when we accept these vendors into our environments we're building a house of cards we're setting ourself up for failure yes the the user training is phenomenal I I believe in it that one of the happiest days at work was when our payroll lady called me and she said ah Steve I need to show you this there's this thing and it was like you know when you how when you RDP into something and

it's like not a a true certain it goes this has not been verified she's like and I was like oh man that's awesome user training is important but we need to not accept the types of infrastructures that we're building is this strategy problem is a big deal so this I remember this it came out on my birthday on 2011. um 99.8 they took it was like an 18-month uh analysis that they did 99.8 of all virus and malware infections were caused by either Adobe or Oracle via Java 99.8 it's a big freaking number and I'm not proposing um what's his face from paulgott.com asadorian was like you can't say that companies need to get rid of java you're

right you can but you need to design for that right did you know that civil engineers need to be licensed in different states you cannot be a licensed civil engineer in Michigan and just go out to California and practice why anybody what is different about the environment this is something real specific absolutely you're on a fault line right the environment is different how you design structures in Michigan will be taking into fact cold salt right climate and yeah environment in California earthquake true yeah I guess it's true vector-based analysis how many of you use this your Security Professionals how many use vector-based analysis couple you got some good people it's good vector-based analysis um is the the way that a fender will get

to your data if you're doing Vector base based analysis you have to look at what you're protecting we're not protecting networks we're not protecting hosts we're not protecting applications we are protecting data does a Cisco 6500 with no data flowing over it mean anything no there's a window sir well I mean it could it could be used as a botnet but is a Windows host with no data on it worth anything no not really is the application with no data in it worth anything no we're protecting data this is very very important concept iron networks are so big how do we like find raw of our data is true story OSI model every single person I interview to work

with us I ask them about the OSI model and networking has been successful because the OSI model was designed to make big problems appear small you deal with it one piece at a time and that's why we have networking that's why we have the successes that we do right but a lot of people don't do this right I do a lot of bcdr stuff and the thing that I see over and over and over whether it's for a bank whether it's for a commercial organization whether it's for a college people have no idea what they're protecting they've got no clue I've seen people you know would go through the analysis of servers and we're okay well what are we going to

do for you what do we need to make sure that's online with a certain RTO RPO and they'll be like well we've got this open SMTP relay server that we need to make sure is in our our bcdr plan I'm like there's an open relay server for your customers internally and they're like yeah like what date is on that and they're like oh nothing it's just a you know just a relay server that we have I'm like why is that in your Dr plan you can have an intern come in and selling up in like 15 minutes it doesn't make any sense they have no clue what they're protecting same thing there was a bank I

was working with um I don't know there's a it was a file server there was also part of another company's bcdr plan and they're like this is a one is a huge terabyte file server had like tons and tons of Records on it and I start going through the data to evaluating what directories actually need to be backed up and there's like gigs of the HR ladies Christmas photos I'm like oh and you know that's cool if you want to give up people your people a place to store personal files that's awesome like cool for you man not on the financial not on the finance server because now there's like 800 gigs of data when like the little freaking

Finance files are like 50 gigs it's ridiculous but people aren't classifying their data and the same thing is a bank there's a mortgage uh I won't say too much there's a bank um and they had NTFS corruption on their file system and it was like a two point something terabyte server and this was the file server that housed 40 years worth of mortgage documents every check was scanned in you know banks have very stringent requirements and this was this was the place and I'm like okay where on the file server and they needed certain things restored quickly to conduct business I said where on the file server are your most critical information assets and they're like oh

we don't know this department each department kind of has their own folder and they put stuff kind of in their folder we don't really know what the folder structure is if you're not classifying your data if you're not managing where that data goes you can't be successful or if you are successful it's going to cost you so much more than it needs to and this is where I do think things like the cissp come into play the military does this if you're a commercial organization you have sensitive data you have confidential data you have private proprietary and public data where is my budget going to protect your data here nope why it's public I don't need I don't need to

ensure the confidentiality of that data I need to ensure the integrity and the availability of that data it's different up here sensitive I need to ensure the confidentiality of that data and the Integrity of that data should not be available to everyone this is where if you are an already technical person understanding these Concepts understanding these strategies if you apply them is useful if you're a pen tester you don't care about this you hope I don't know about this very very different mindset right other Corporation other Industries do this the first time I ever did a business continuity in Disaster Recovery talk it was for a supply chain management organization I.T is a very immature industry as far

as history goes. Accountants have been going back a long ways, right? People have been working with money for a long time. Structural engineers have been around since the glory days of the Romans, right? Who remembers flying buttresses in your Western Civ class? Right, I mean, you know what I'm talking about, you're smiling, so at least I know I got one person. I choose a new industry, but there are other industries where it is unacceptable to map the flow of your business. If you're a supply chain organization and you're Walmart, you need to know where every single product comes in from, how it's going to funnel through your organization, and how it's going to be presented to your end user. It's

unacceptable not to know that. It has to be unacceptable for infrastructure engineers and security professionals to not know how data flows through their network, and most don't. And what also needs to be unacceptable is that we don't guide, lovingly, not as a jerk, as Ben pointed out, how that data flows through our network. My better half, she went to school for supply chain, she has her MBA. I learn a lot about it from mature careers. There's no wonder why auditors, our IT auditors as well as financial auditors, they're methodical, they're precise, they're trained to look at small irregularities. That's what our IR people are: they're methodical, they're precise, they're looking for small irregularities that

mean something bigger. We have to turn and look and see what we can get from people that have been doing this stuff for a long time. So what do we need to do, right, from a strategy perspective? We basically can break down what should be going on in our network: we all know who, what, where, when, why. Maybe the whys aren't ever going to be available to us, but we need to know our authorized and unauthorized users; that's the who. What they're doing is accessing data. Where they're at is either on our networks or physical access. And when: can we define some time-based policies? Temporal control is an amazingly powerful tool. I don't know hardly anybody that uses it.

I use it in my personal things. I've had some customers that have let me implement it for them. It actually works very, very well for certain banks. When you have jobs that are very traditional nine to five, temporal-based policies are very, very effective. I want you to look at two things: your Cisco ACLs. How many people, sorry, stuff, your marketing department walks out at 4:40, 4:59 every day? Thank you, one person's honest. Stuff is in our marketing department, your most people, there are certain departments, they have very steady start and stop times. If you're worried about data exfiltration, your DLP system, why do you allow traffic out of those subnets after close of business hours?

Time-based ACLs in Cisco: you can say our working hours are, let's say, 7 AM to 7 PM. The ACL, if it doesn't match that time window, no traffic's going anywhere. Do you allow printers to go out to the internet? Amazing article in Dark Reading about data exfiltration running over printers. You can't AV that stuff, there's no patches for it. I've been watching printers for a long time: got a nice little web interface for you, fully functioning TCP stack, hacker delight, man. Why can those get to the internet? Never, never, never, never. Shut things down. Tell people to go home; it's called work-life balance, and you're helping my security posture. If you want to go home, take your laptop

home. We do a lot of bring your own devices, I think everybody does. Get off my network. If you have workstations, or, you know, traditional, even easier: assigning login hours to Windows. This is huge, this is huge, right? If you know that in general your employees should not be logging into HR, financial, healthcare, medical information outside of business windows, this is free. This is free. Cisco time-based ACLs are free. Know what you have. I'm going to skip these slides; I didn't know how I would be on time. So what I wanted to do is I wanted to take you through how I look at things when I try to design securable infrastructures, and it's a work in

progress, but there's been some people that have kind of not totally gone full bore as I've wanted to with this, but I've got to do some of this and it's been pretty fun. So people are familiar with n-tier architecture, right? Are people familiar with n-tier architecture? Okay, n-tier architecture. I didn't get a whole lot of hands. So you have your web farm; there's really no general data that sits on your web farm, it's a front-end server. You have your application server, and you have either app or data; we'll do two tiers here. And then this is something that I put in because I thought it was fun; I'll explain it

so on. In a web server, you know, we're working at ADP, there was no data that's held in the web farm. All the data is either in a consolidated app and database tier, or you have an app and database tier, right? And in this architecture you have your firewall in front, you have your firewall in between the tiers. And we do have a WAF and we have some really expensive IDS/IPSs, but, to be honest, I'm not that impressed with them because they're just a tool. And then I'm going to introduce the concept of a response server. And I love VMware, and I'll explain why I love VMware. So in this environment we actually do

have our users that can never, ever access this at all. Never. They have to VPN in with two-factor authentication. They have a kind of like a deployment server, you could think about it, and everything is pushed from behind forward. No access other than very, very restricted is ever allowed here. No access is ever allowed here, and no access from the internet is ever allowed here. Now, there's some contextual problems that I'm going to talk about, and how to do things like patching and so on and so forth. So what we're using is we're going to use a combination of technologies. So Cisco private VLANs: there was somebody who said that the Windows trust

folks were talking about private VLANs. So who knows what private VLANing is in Cisco? It's free. No? The concept of private VLANing is really quite powerful. So you can put all of a type of server on VLAN 10, right? But if you have a private VLAN, even though all of those servers are on the same subnet, on the same VLAN, they cannot talk to each other. So if you have the HR lady who has to have Java on her workstation because she's using some shitty ADP app and she gets hit with the drive-by download, she cannot propagate and infect all of those other workstations on the private VLAN. Free in Cisco. Use it.

Huge, huge security benefit. Now you do have to have certain things, and they're called promiscuous VLANs, so like file servers and things like that. But I would even say for your file server, going back to the nerdy CISSP, it's the combination of not using the same operating systems so they're not vulnerable to the same exploits. So if you could have an NFS file server that's running an AV system to scan for viruses that maybe your end users pick up, but the file server itself is not going to be vulnerable, that's a really great way to do things. And Linux is free; save yourself a Windows license. It doesn't take that much to set up an

NFS export on a Linux box. Talk about VMware independent and non-persistent disks, web servers with MD5 hash logging to a remote server. I personally use Snare; it's free. And using PowerCLI, which is an extension of PowerShell, to connect to the vCenter server. I'm going to explain to you how this works, and this is something I came up with. I think it's awesome. I will be happy to go toe to toe with any pen tester that wants to breach my lab network; I'll take you up on it. I'm going to show you how it works. So you have a firewall. It could be a firewall; we happen to use a WAF as well, okay, but I would say a firewall is fine.

You have your web farm. On our web farm we have load-balanced servers, right? We happen to use a specific vendor. It can check to make sure that the Apache process is running, and it will take servers dynamically in and out of the load balance pool when it sees one go offline. This is important. Also have a process, you could write it in Python, it could be a bash script, however you want to do it: it takes MD5s of all the critical files on our web farm. Because if you have web-facing services and you're delivering content, mostly you're worried about availability and integrity, not really worried about confidentiality, if you have a public-facing website, okay.

You could be creative; you could use OSSEC. We actually use OSSEC in our environment as well. What happens: MD5s are calculated every X minutes. It could be five, it could be ten, it could be however paranoid you want it to be. MD5s are shipped over to a logging and response server. MD5s are compared. This is a Windows server; I grew up in a Windows environment and I love PowerShell, and PowerCLI plays very nicely with VMware. There is a concept of a non-persistent disk in VMware. How many times, or how much, should the data here be changing in an n-tier architecture? Yes, not hardly ever, only when you patch, right? So everybody's moving to the cloud

anyway. Everybody wants to deploy servers as quickly as possible. You run with this concept. So in our environment we can spin off web servers very quickly; you can deploy them from template and get them online almost immediately. So you get your first web server exactly how you want it, you know it's in a clean and pristine state, you take MD5s of all the files, and
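The integrity-monitoring loop just described, as an added example (my own code, not the speaker's): a baseline of digests taken from the pristine web server, a later snapshot, and the drift report that would be shipped to the logging/response server, where any drift flags the non-persistent VM for a reset. The web root, the host name "web01" and the report format are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path, algo="md5"):
    # The talk uses MD5; sha256 is the stronger choice and is a one-word swap here.
    digest = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(web_root, algo="md5"):
    """Digest every file under the web root, keyed by POSIX-style relative path."""
    root = Path(web_root)
    return {p.relative_to(root).as_posix(): hash_file(p, algo)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Drift between the pristine baseline and the latest snapshot."""
    return {
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }

def report(host, drift):
    """Payload the agent ships to the logging/response server. Web content only changes
    at patch time, so any drift at all flags the non-persistent VM for a reset."""
    return json.dumps({"host": host, "reset": any(drift.values()), "drift": drift}, sort_keys=True)

def demo():
    # Constructed sample web root standing in for one web-farm node (not real data).
    root = Path(tempfile.mkdtemp())
    (root / "htdocs").mkdir()
    (root / "htdocs" / "index.html").write_text("<h1>Welcome</h1>")
    (root / "htdocs" / "app.js").write_text("console.log('ok');")
    baseline = snapshot(root)  # taken once, from the clean, pristine template
    # Between two polls, one file is modified and an unexpected file appears.
    (root / "htdocs" / "index.html").write_text("<h1>Changed</h1>")
    (root / "htdocs" / "extra.php").write_text("<?php ?>")
    return json.loads(report("web01", compare(baseline, snapshot(root))))

if __name__ == "__main__":
    print(demo())
```

Shipping the JSON with Snare or a syslog forwarder and driving the VM reset from PowerCLI on the response server, as in the talk, sits outside this block.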

[ feedback ]